NusaSec
← All advisories
CVE-2026-55539High · CVSS 8.6· CWE-306

Auth Bypass async Jobs API leads to unauthenticated job execution, result theft, cancel and delete

Vendor
MervinPraison
Product
PraisonAI
Status
Published · Jun 17 2026
Researchers
riodrwn
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Published
Jun 21 2026

Summary

PraisonAI's async Jobs API (the FastAPI service in praisonai/jobs/) installs its router with no authentication middleware, no router-level dependency, and no per-route auth check. Any caller who can reach the jobs server can submit agent jobs (executed against the operator's configured LLM credentials), list every job in the shared store, read other jobs' results, cancel running jobs, and delete terminal jobs — with no token, cookie, session, or per-job ownership value.

The server's default bind is 127.0.0.1, so remote reach requires an operator to bind a public interface, container-publish, reverse-proxy, or tunnel the service. Once reachable, the primitive is fully pre-authenticated.

This is a distinct, still-unpatched sibling of CVE-2026-44338. That CVE (GHSA-6rmh-7xcm-cpxj, fixed in 4.6.34) covered only the legacy Flask server src/praisonai/api_server.py. The fix added AUTH_ENABLED/AUTH_TOKEN/check_auth() to that file and did not touch the FastAPI jobs module. At the latest commit (9fcac3a, version 4.6.51) the legacy Flask server is patched but the jobs API remains completely unauthenticated.

Technical Detail

Source-to-sink trace

The FastAPI app includes the jobs router with only CORS middleware — no auth (server.py, create_app):

# src/praisonai/praisonai/jobs/server.py
def create_app(store=None, executor=None, cors_origins=None) -> FastAPI:
    app = FastAPI(title="PraisonAI Jobs API", ...)
    # ... CORS middleware only (allow_headers includes "Authorization",
    #     but CORS is not authentication) ...
    jobs_router = create_router(get_store(), get_executor())
    app.include_router(jobs_router)        # no dependencies=[Depends(...)]

The router (built inside create_router()) registers every job operation with no auth dependency. The only Header(...) parameter anywhere is the Idempotency-Key, which is deduplication, not authorization:

# src/praisonai/praisonai/jobs/router.py
router = APIRouter(prefix="/api/v1/runs", tags=["jobs"])
 
@router.post("",          status_code=202)  async def submit_job(request, response, body, idempotency_key=Header(None, alias="Idempotency-Key")): ...
@router.get("")                              async def list_jobs(status=None, session_id=None, page=1, page_size=20): ...
@router.get("/{job_id}")                     async def get_job_status(job_id): ...
@router.get("/{job_id}/result")              async def get_job_result(job_id): ...
@router.post("/{job_id}/cancel")             async def cancel_job(job_id): ...
@router.delete("/{job_id}", status_code=204) async def delete_job(job_id): ...
@router.get("/{job_id}/stream")              async def stream_job(job_id): ...

submit_job() builds a Job from attacker-controlled JSON and submits it. The executor saves and schedules it, and for the default praisonai framework runs the attacker prompt against a real agent:

# executor.py — submit() -> _execute_job() -> _run_agent() -> _run_praisonai_agents()
agent = Agent(instructions="You are a helpful AI assistant.", output="minimal")
result = await asyncio.to_thread(agent.start, job.prompt)   # attacker-controlled prompt

The in-memory store has no owner / principal / user concept. list_jobs() returns the whole store filtered only by caller-supplied status/session_id:

# store.py
async def list_jobs(self, status=None, session_id=None, limit=20, offset=0):
    jobs = list(self._jobs.values())        # global; no owner binding
    if session_id: jobs = [j for j in jobs if j.session_id == session_id]
    ...

A repository-wide grep of jobs/ for Depends|verify|token|authorization|bearer|x-api-key|HTTPBearer|AUTH_ENABLED|check_auth returns only the string "Authorization" inside the CORS allow_headers list. There is no authentication primitive in the module.

Distinction from CVE-2026-44338 (critical for triage)

CVE-2026-44338 (already fixed) This finding
Component Legacy Flask src/praisonai/api_server.py FastAPI praisonai/jobs/
Endpoints GET /agents, POST /chat /api/v1/runs (submit/list/get/result/cancel/delete/stream)
Root cause AUTH_ENABLED=False, AUTH_TOKEN=None, no-op check_auth() No auth dependency, middleware, or token exists at all
Status at 4.6.51 Patched (auth enabled by default, token auto-generated, secrets.compare_digest) Unpatched

The 4.6.34 remediation hardened only the Flask file. The jobs module is a separate code path that the fix did not reach.

Trigger conditions

  1. Start the server, e.g. python -m uvicorn praisonai.jobs.server:create_app --port 8005 --factory.
  2. Make it reachable (--host 0.0.0.0, container publish, reverse proxy, tunnel).
  3. Send unauthenticated requests to POST/GET /api/v1/runs, GET /api/v1/runs/{id}, GET /api/v1/runs/{id}/result, POST /api/v1/runs/{id}/cancel, DELETE /api/v1/runs/{id}.